Vulnerability Disclosure Program
Maintaining the security of our networks is a high priority at LVRG. Our information technologies provide critical business operations. Ultimately, our network security ensures that we can accomplish our mission and further enable our customers business goals. The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and LVRG recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in a LVRG website or web application, we want to hear from you!
- Any web properties owned by LVRG are in scope of the program.
- Customers of LVRG, or non LVRG sites behind our infrastructure are out of scope.
LVRG pledges not to initiate legal action against researchers as long as they adhere to this policy.
How to Submit a Vulnerability: To submit a vulnerability report to LVRG’s Product Security Team, please send an email to firstname.lastname@example.org.
What we would like to see from you:
- Well-written reports in English will have a higher chance of being accepted.
- Reports that include proof of concept code will be more likely to be accepted.
- Reports that include only crash dumps or other automated tool output will most likely not be accepted.
- Reports that include products not on the covered list will most likely be ignored.
- Include how you found the bug, the impact, and any potential remediation.
- Any plans for public disclosure.
What you can expect from us:
- A timely response to your email (within 2 business days).
- An open dialogue to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- An expected timeline for patches and fixes (usually within 120 days).
- Credit after the vulnerability has been validated and fixed.
Public Notification. If applicable, LVRG will coordinate a public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously. In order to protect our customers, LVRG requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.
NTIA reminder on public disclosure. Finders do not create vulnerabilities. The fact that one finder does not disclose its existence does not guarantee that another will not find it - or has already found it. Finders may have reasons to want to disclose the vulnerability publicly. A [coordinated] disclosure situation is preferable to one without control. Vendors may want to express preferences on when finders publicly talk about vulnerabilities.